====== 01 Linux ipsec Server ======
===== IPsec Server側 =====
==== 環境 ====
CentOS release 6.8
libreswan-3.15-7.3
xl2tpd-1.3.8-1
==== インストール ====
# NOTE(review): the environment list above names libreswan, but this command
# requests "openswan"; on CentOS 6.8 that name is presumably satisfied by the
# libreswan package that obsoletes it — confirm with `rpm -q libreswan` afterwards.
# yum -y --enablerepo=epel install openswan xl2tpd
==== xl2tpd ====
一番下に下記を追加
; Appended to the end of xl2tpd.conf (typically /etc/xl2tpd/xl2tpd.conf): the
; default LNS (L2TP server) definition that terminates client tunnels.
[lns default]
; Address pool handed to connecting clients; must not overlap "local ip" or
; other hosts on the 192.168.1.0/24 segment.
ip range = 192.168.1.128-192.168.1.254
; Address the server uses for its own end of each PPP link.
local ip = 192.168.1.99
; Only CHAP-family authentication is accepted; PAP (cleartext password) is
; refused and unauthenticated sessions are not allowed.
require chap = yes
refuse pap = yes
require authentication = yes
; Name this server reports to peers when a tunnel is established.
name = LinuxVPNserver
; Verbose pppd output — useful while bringing the service up; consider turning
; it off afterwards, since debug output is large and may include details of the
; authentication exchange.
ppp debug = yes
; pppd options file used for these sessions (its contents are in the "ppp"
; section below).
pppoptfile = /etc/ppp/options.xl2tpd
; Include the length field in L2TP data packets.
length bit = yes
==== ppp ====
options.xl2tpd（上記 pppoptfile で指定したファイル）の一番下に下記を追加
# Appended to the end of the pppd options file named by pppoptfile
# (/etc/ppp/options.xl2tpd).
# Netmask applied to the PPP link address.
netmask 255.255.255.0
# Re-open the link after it drops instead of exiting pppd.
persist
# The peer must authenticate with MS-CHAPv2. MS-CHAPv2 on its own is not a
# strong method; the IPsec tunnel around it is what protects the exchange,
# which is why the IPsec pre-shared key below needs to be strong.
require-mschap-v2
# pppd log destination; keep it root-readable only, since debug-level output
# can include connection and authentication details.
logfile /var/log/xl2tpd.log
# A separate file from the options above: this is the CHAP secrets file
# (typically /etc/ppp/chap-secrets). Passwords are stored in cleartext, so keep
# it owned by root with mode 0600.
# Secrets for authentication using CHAP
# client server secret IP addresses
# One line per VPN user; "*" in the server and IP columns accepts any server
# name and any assigned address. Replace the bracketed placeholders.
"[username]" * "[password]" *
==== IPsec用の事前共有鍵 ====
# Goes in the IPsec secrets file (typically /etc/ipsec.secrets). With nothing
# before the colon the PSK applies to every peer, so one shared secret protects
# all clients: use a long random value rather than a word or phrase, and keep
# the file root-only with mode 0600.
: PSK "[共有鍵]"
==== iptablesを使っている場合は開放 ====
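# L2TP/IPsec
# Firewall openings for the VPN. "-A" appends: if the chain already ends in a
# catch-all REJECT/DROP (the CentOS 6 default ruleset does), these rules must
# instead be inserted ahead of it (e.g. with -I) or they are never reached.
# Persist the result afterwards ("service iptables save" on CentOS 6).
# Traffic to and from VPN clients may be forwarded in both directions;
# tighten these if clients should only reach specific hosts.
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
# ESP, IKE (500) and NAT-T (4500) from any peer.
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
# L2TP (1701) only when the packet arrived inside the IPsec tunnel; without the
# policy match the server would also accept plain, unencrypted L2TP from anywhere.
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT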
==== sysctl.conf ====
一番下に下記を追加
# Appended to the end of sysctl.conf and applied with "sysctl -p" (see the
# start-up section). "eth0" must match the real external interface name.
# Drop packets whose IPsec SA is still being negotiated instead of queueing them.
net.core.xfrm_larval_drop = 1
# Do not emit ICMP redirects (the server would otherwise try to redirect VPN
# clients around itself) and do not honour incoming ones, which can be used to
# hijack routing.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
# Reverse-path filtering is disabled entirely here, as the IPsec path on this
# kernel generation commonly requires, but that also removes the kernel's
# source-address spoofing check. Where the kernel supports it, loose mode
# (rp_filter = 2) is a less permissive alternative — verify before changing.
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
==== 起動 ====
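# Apply the sysctl settings first so the daemons start with the redirect and
# rp_filter settings already in effect (the original ran "sysctl -p" last),
# then bring up IPsec, then the L2TP daemon layered on it, and enable both at
# boot. "ipsec verify" reports whether the kernel settings are in place.
/sbin/sysctl -p
/sbin/service ipsec start
/sbin/service xl2tpd start
/sbin/chkconfig ipsec on
/sbin/chkconfig xl2tpd on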
{{tag>ipsec}}